WebSphere® Application Server for z/OS® supports
access to resources by clients and servers in a distributed environment.
Determine how to control access to these resources and prevent inadvertent
or malicious destruction of the system or data.
These are the pieces in the distributed
network that you must consider:
- You must authorize
servers to the base operating system services
in z/OS. These services include System Authorization
Facility (SAF) security, database management, and transaction management.
- For the server clusters, you must distinguish between
controllers
and servants. Controllers run authorized system code, so they are
trusted. Servants run application code and are given access to resources,
so carefully consider the authorization you give servants.
- You
must also distinguish between the level of authority that run-time
servers have and the level that your own application servers have. For example, the
node needs the authority to start other clusters, while your own
application clusters do not need this authority.
- You
must authorize clients (users) to servers and objects within
servers. The characteristics of each client require special consideration:
- Is the client on the local system or is it remote?
The security
of the network becomes a consideration for remote clients.
- Will
you allow unidentified (unauthenticated) clients to access
the system? Some resources on your system might be intended for public
access, while others you might need to protect. To access protected
resources, clients must establish their identities and have authorization
to use those resources.
- Authentication is
the process of establishing the identity
of a client in a particular context. A client can be an end user,
a machine, or an application. The term authentication mechanism in WebSphere Application Server on z/OS refers
more specifically to the facility by which WebSphere identifies
an authenticated identity, using HTTP and Java Management
Extensions (JMX) facilities. When configuring a cell, you must select
an authentication mechanism. The choices for authentication mechanism
include:
- Information
about users and groups resides in a user registry.
In WebSphere Application Server, a user registry
authenticates a user and retrieves information about users and groups
to perform security-related functions, including authentication and
authorization. Implementations are provided to support multiple operating
system-based or operating environment-based user registries. When configuring
a cell, you must select a single user registry. The user registry
can be local or remote. The choices for user registry include:
- SAF-based local registry (default when a z/OS security
product
is chosen for administrative security during customization)
- Stand-alone Lightweight Directory Access Protocol (LDAP) registry
- LDAP can be either a local or a remote registry
- Stand-alone custom user registry - A custom user registry is set
up to meet unique registry needs. WebSphere Application
Server provides a simple user registry sample called the FileBasedRegistrySample.
- Federated repositories (default when the WebSphere Application
Server is chosen for administrative security during customization)
If you need to protect resources, it is critical
that you identify
who accesses those resources. Thus, any security system requires client
(user) identification, also known as authentication. In a distributed
network supported by WebSphere Application Server
for z/OS, clients can access resources from:
- Within the same system as a server
- Within
the same sysplex as the server
- Remote z/OS systems
- Heterogeneous systems, such as WebSphere Application
Server on distributed platforms, Customer Information Control System
(CICS®), or other Java Platform,
Enterprise Edition-compliant systems.
Additionally,
clients can request a service that requires a server
to forward the request to another cluster. In such cases, the system
must handle delegation, that is, making the client identity available for
use by intermediate clusters and target clusters.
Finally,
in a distributed network, how do you verify that messages
being passed are confidential and have not been tampered with? How do you
verify that clients are who they claim to be? How do you map network
identities to z/OS identities? These issues are addressed
by the following support in WebSphere Application Server
for z/OS:
- The use of Secure
Sockets Layer (SSL) and digital certificates
- Kerberos
- Common
Secure Interoperability, Version 2 (CSIv2)
- Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
- Distributed identity mapping feature in SAF